
Active JIT Debugger popup, some redirect attempts,

Discussion in 'Malware and Virus Removal Archive' started by MedicineMan, 2010/04/20.

  1. 2010/04/21
    crunchie (Inactive)
    Those files that Combofix just removed were files that you told me earlier did not exist on your PC.
    I think it would be a good idea now to check that the others are not really there.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    File::
    c:\windows\system32\drivers\fwmokwix.sys
    c:\windows\system32\drivers\nofyjr.sys
    c:\windows\system32\drivers\ffhnnt.sys
    c:\windows\system32\drivers\pjgs.sys
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  2. 2010/04/22
    MedicineMan (Inactive, Thread Starter)
    CF Log

    ComboFix 10-04-20.01 - Daniel 21/04/2010 21:44:53.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1599 [GMT -7:00]
    Running from: c:\documents and settings\Daniel\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Daniel\Desktop\CFScript.txt
    AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

    FILE ::
    "c:\windows\system32\drivers\ffhnnt.sys"
    "c:\windows\system32\drivers\fwmokwix.sys"
    "c:\windows\system32\drivers\nofyjr.sys"
    "c:\windows\system32\drivers\pjgs.sys"
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
    .

    2010-04-22 01:52 . 2010-04-22 01:52 -------- d-----w- c:\program files\Ventrilo
    2010-04-21 03:14 . 2010-04-21 03:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-21 03:12 . 2010-04-21 09:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-04-21 02:27 . 2010-04-21 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-04-21 02:27 . 2010-04-21 02:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-21 02:23 . 2010-04-21 02:23 -------- d-----w- c:\program files\CCleaner
    2010-04-20 22:34 . 2010-04-20 22:34 -------- d-----w- c:\program files\Common Files\Java
    2010-04-20 22:34 . 2010-04-20 22:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-20 22:28 . 2010-04-20 22:28 -------- d-----w- c:\program files\Trend Micro
    2010-04-20 09:32 . 2010-04-20 09:32 503808 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5b4dcd0e-n\msvcp71.dll
    2010-04-20 09:32 . 2010-04-20 09:32 499712 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5b4dcd0e-n\jmc.dll
    2010-04-20 09:32 . 2010-04-20 09:32 348160 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5b4dcd0e-n\msvcr71.dll
    2010-04-20 09:32 . 2010-04-20 09:32 61440 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-186b105f-n\decora-sse.dll
    2010-04-20 09:32 . 2010-04-20 09:32 12800 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-186b105f-n\decora-d3d.dll
    2010-04-20 06:24 . 2010-04-20 06:24 52224 ----a-w- c:\documents and settings\Daniel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-20 06:24 . 2010-04-20 06:24 117760 ----a-w- c:\documents and settings\Daniel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-20 06:24 . 2010-04-20 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-04-20 06:24 . 2010-04-20 06:24 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-20 06:24 . 2010-04-20 06:24 -------- d-----w- c:\documents and settings\Daniel\Application Data\SUPERAntiSpyware.com
    2010-04-20 05:53 . 2010-04-20 05:53 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\PCHealth
    2010-04-20 04:28 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-20 04:28 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-20 02:20 . 2010-04-20 02:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-04-20 00:30 . 2010-04-20 00:33 -------- d-----w- c:\documents and settings\Daniel\Application Data\QuickScan
    2010-04-20 00:30 . 2010-04-13 22:58 670696 ----a-w- c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\6l37r6un.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    2010-04-20 00:30 . 2010-04-13 22:58 833960 ----a-w- c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\6l37r6un.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    2010-04-18 00:27 . 2010-04-18 00:27 -------- d-----w- c:\program files\MSECache
    2010-04-01 01:14 . 2010-04-21 10:12 -------- d-----w- c:\program files\QuickTime
    2010-04-01 01:04 . 2010-04-01 01:04 -------- d-----w- c:\program files\Bonjour

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-22 01:52 . 2008-04-20 20:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-21 20:55 . 2010-03-13 02:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-21 10:12 . 2008-04-20 19:39 -------- d-----w- c:\program files\Windows Defender
    2010-04-21 10:12 . 2010-03-17 21:26 -------- d-----w- c:\program files\iTunes
    2010-04-21 01:50 . 2008-09-14 22:28 -------- d-----w- c:\program files\Steam
    2010-04-21 01:49 . 2009-03-07 22:41 -------- d-----w- c:\program files\Electronic Arts
    2010-04-20 03:01 . 2010-03-13 00:09 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-04-20 00:02 . 2008-04-20 18:12 -------- d-----w- c:\program files\Java
    2010-04-18 03:20 . 2008-04-20 13:28 68648 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-18 00:21 . 2008-04-20 17:28 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-10 03:16 . 2008-04-20 20:25 -------- d-----w- c:\program files\World of Warcraft
    2010-03-17 21:26 . 2010-03-17 21:26 -------- d-----w- c:\program files\iPod
    2010-03-17 21:26 . 2008-04-22 20:09 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-17 21:12 . 2010-03-17 21:12 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-03-13 02:37 . 2010-03-13 02:37 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
    2010-03-13 02:37 . 2010-03-13 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-11 12:38 . 2003-03-31 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2008-04-20 13:17 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2003-03-31 12:00 17408 ------w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2003-03-31 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-05 23:58 . 2009-09-21 10:45 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-03-05 23:58 . 2008-11-07 02:26 -------- d-----w- c:\program files\AGEIA Technologies
    2010-02-26 21:09 . 2009-01-01 07:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-26 10:12 . 2008-04-20 23:04 -------- d-----w- c:\program files\Firaxis Games
    2010-02-26 09:55 . 2010-02-26 09:55 -------- d-----w- c:\program files\NTCore
    2010-02-24 17:16 . 2009-10-03 21:43 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-24 13:11 . 2003-03-31 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-24 06:03 . 2010-02-18 10:35 -------- d-----w- c:\documents and settings\Daniel\Application Data\Bioshock
    2010-02-16 14:08 . 2003-03-31 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2002-08-29 01:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-02-12 04:33 . 2003-03-31 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2003-03-31 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-02-01 20:07 . 2010-02-01 20:07 50812 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-01-30 16:28 . 2010-01-30 16:27 80820896 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\CCube\tmp\5DFA9AA4868D186099936ED31AE09083.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-21_04.42.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-22 04:55 . 2010-04-22 04:55 16384 c:\windows\temp\Perflib_Perfdata_744.dat
    - 2010-04-21 03:21 . 2010-04-21 03:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2010-04-21 03:21 . 2010-04-21 09:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-20 13:09 . 2010-04-21 09:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-04-20 13:09 . 2010-04-21 03:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-04-20 13:44 . 2007-03-20 06:36 36864 c:\windows\RaidTool\xinside.exe
    + 2010-04-22 01:52 . 2010-04-22 01:52 683520 c:\windows\Installer\f21f9.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-29 2012912]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-15 813584]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 19:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^ImpulseNow.lnk]
    backup=c:\windows\pss\ImpulseNow.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-07-19 00:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMax]
    2006-07-13 14:12 729088 ------w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2006-12-18 13:34 868352 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-02-21 00:42 1217872 ----a-w- c:\program files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
    "c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Stardock Games\\Demigod\\bin\\Demigod.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "e:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
    "e:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
    "e:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
    "c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 AM 66632]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [08/10/2008 1:21 AM 171032]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [08/10/2008 1:21 AM 1324056]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [08/10/2008 1:21 AM 72728]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 AM 12872]
    S0 vjouhr;vjouhr; [x]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [30/03/2009 9:43 AM 79360]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [08/10/2008 1:21 AM 171032]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [08/10/2008 1:21 AM 1324056]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [08/10/2008 1:21 AM 72728]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [10/11/2009 9:32 PM 25832]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-07-19 00:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 20:34]

    2010-04-22 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\windows\system32\VetRedir.dll
    FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\6l37r6un.default\
    FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-21 21:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1482476501-1364589140-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:0c,5c,36,0a,16,fd,e2,23,5e,6b,73,ae,14,e6,c8,b2,30,2f,7c,7d,ac,81,3f,
    98,e5,45,cf,18,0b,e0,92,8d,58,51,98,a8,5c,9a,fa,52,71,ad,c1,41,84,f5,7a,77,\
    "??"=hex:70,5e,60,27,e0,37,97,7c,31,94,d2,11,dc,99,f9,41

    [HKEY_USERS\S-1-5-21-1482476501-1364589140-839522115-1004\Software\SecuROM\License information*]
    "datasecu"=hex:64,e7,17,6c,42,41,19,c6,45,a9,74,eb,24,66,7f,e1,35,b3,38,5c,9a,
    d8,b8,7d,73,45,10,c1,ab,8a,f8,e3,28,bd,d2,11,b4,e6,ab,ba,9e,dc,6e,7e,43,2f,\
    "rkeysecu"=hex:09,91,86,71,00,4d,a4,58,c5,d3,d5,c1,d7,f3,b4,a8
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(752)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll

    - - - - - - - > 'lsass.exe'(812)
    c:\windows\system32\VetRedir.dll
    c:\windows\system32\ISafeIf.dll

    - - - - - - - > 'explorer.exe'(3568)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\SetPoint\GameHook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Creative\Shared Files\CTAudSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-04-21 21:59:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-22 04:58
    ComboFix2.txt 2010-04-22 01:40
    ComboFix3.txt 2010-04-21 10:47
    ComboFix4.txt 2010-04-21 04:45

    Pre-Run: 121,870,082,048 bytes free
    Post-Run: 121,832,140,800 bytes free

    - - End Of File - - ED7371F8DD83DC9D388A9D00BBB993FE
     
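The check crunchie asks for above (are the four drivers really gone, and is anything still pointing at them?) can be run against the log rather than eyeballed. The script below is an added example written for this thread; it is not ComboFix's own code and not something either poster ran. It parses the CFScript's File:: list and a ComboFix-style log, reports any target path that still appears outside the FILE :: echo block, lists services whose image file is gone (the log above has one such entry, S0 vjouhr, with no path and a [x] marker), and lists kernel drivers created inside the "Files Created" window. Assumptions: the log echoes CFScript targets under a "FILE ::" header ended by a line containing only ".", services are printed as "R1 Name;Display;path [date size]", and a trailing "[x]" means the image file was not found on disk; SAMPLE_LOG and SAMPLE_CFSCRIPT are constructed excerpts in the shape of the log and script posted above, not the full text.

```python
"""Post-run triage of a ComboFix log against a CFScript File:: list.

Added example for this thread; not ComboFix code and not something the
posters ran.  Assumptions (see lead-in): a "FILE ::" echo block ended by a
lone ".", service lines shaped "R1 Name;Display;path [meta]", and a
trailing "[x]" meaning the image file was not found on disk.
"""
import re
from typing import Dict, List

# Constructed excerpt in the style of the log posted above (not the full log).
SAMPLE_LOG = r"""
FILE ::
"c:\windows\system32\drivers\ffhnnt.sys"
"c:\windows\system32\drivers\fwmokwix.sys"
.
((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.
2010-04-21 03:14 . 2010-04-21 03:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-20 04:28 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 22:34 . 2010-04-20 22:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 AM 12872]
S0 vjouhr;vjouhr; [x]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [10/11/2009 9:32 PM 25832]
"""

# Constructed CFScript in the shape of the one posted above.
SAMPLE_CFSCRIPT = r"""
KillAll::

File::
c:\windows\system32\drivers\fwmokwix.sys
c:\windows\system32\drivers\nofyjr.sys
"""

# "R1 Name;Display;rest" where rest is "path [date size]" or " [x]" (assumed format)
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# "created . modified size attrs path" lines from the Files Created section
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$"
)


def parse_cfscript_targets(script: str) -> List[str]:
    """Return the paths listed under the File:: directive, lower-cased."""
    targets, in_file = [], False
    for line in script.splitlines():
        line = line.strip()
        if line.endswith("::"):            # a directive header (KillAll::, File::, ...)
            in_file = line.lower() == "file::"
            continue
        if in_file and line:
            targets.append(line.lower())
    return targets


def parse_services(log: str) -> List[Dict[str, object]]:
    """Parse the R?/S? service and driver lines into dicts."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        missing = rest.endswith("[x]")                     # assumed "file not found" marker
        path = "" if missing else re.sub(r"\s*\[[^\]]*\]$", "", rest)
        services.append({"start": m.group("start"), "name": m.group("name"),
                         "path": path.lower(), "missing": missing})
    return services


def orphaned_services(log: str) -> List[Dict[str, object]]:
    """Services whose image file no longer exists: what a registration left
    behind by a deleted driver looks like.  Boot/system start (S0, R0, R1) ones
    are the first to look at, since they load before any security product."""
    return [s for s in parse_services(log) if s["missing"]]


def targets_still_referenced(log: str, targets: List[str]) -> List[str]:
    """Targets that still appear anywhere in the log outside the FILE :: echo."""
    hits, in_echo = set(), False
    for line in log.splitlines():
        stripped = line.strip()
        if stripped.startswith("FILE ::"):
            in_echo = True
            continue
        if in_echo and stripped == ".":
            in_echo = False
            continue
        if in_echo:
            continue
        low = stripped.lower()
        hits.update(t for t in targets if t in low)
    return sorted(hits)


def new_kernel_drivers(log: str) -> List[str]:
    """.sys files under a drivers directory from the Files Created section."""
    paths = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            path = m.group("path")
            if "\\drivers\\" in path.lower() and path.lower().endswith(".sys"):
                paths.append(path)
    return paths


if __name__ == "__main__":
    targets = parse_cfscript_targets(SAMPLE_CFSCRIPT)
    print("targets still referenced:", targets_still_referenced(SAMPLE_LOG, targets))
    for s in orphaned_services(SAMPLE_LOG):
        print(f"orphaned service: {s['start']} {s['name']} (image file missing)")
    print("new kernel drivers:", new_kernel_drivers(SAMPLE_LOG))
```

On the sample the two targets are absent from everything but the echo block, the one orphaned entry is S0 vjouhr, and the new drivers are SBREDrv.sys and mbam.sys (both from tools installed during the cleanup, which is the point of listing them with their dates rather than judging them). The script only flags; whether a pathless service entry is a harmless leftover or something to remove is the helper's call, which is how the thread itself treats it.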


  4. 2010/04/22
    MedicineMan (Inactive, Thread Starter)
    Oddities

    There were some oddities on this scan, Crunchie.

    When I tried to run ComboFix the first time, my machine hung up while shutting down (shutdown initiated by CF). After sitting on my hands for 15 minutes, with the computer at the Windows Shutting Down screen and minimal hard drive activity, I rebooted it. Got a blue screen on restart and the OS recovered to right before the scan.

    Second attempt, the same thing happened; OS hung while shutting down. Ended up rebooting again but the OS loaded this time, CF wrapped up and generated the above log.

    Not sure if I did the right thing. Not sure if this means anything to you. I do notice that the 4 supposedly non-existent .sys files were not so non-existent. Would there be any point to running the CF script again to see if they're really gone?
     
  5. 2010/04/22
    crunchie (Inactive)
    Well, the log looks ok now so just try a few reboots to see what happens, then try out the PC to see if it all runs as it should.
    Let me know.
     
  6. 2010/04/22
    MedicineMan (Inactive, Thread Starter)
    It seems to be working fine now. No glaringly suspicious activity. I've noticed the occasional twitch of activity from jqs.exe and rundll32.exe processes but not so much that I'm suspicious; I can't remember how often rundll ran before this batch of problems.

    My CA Antivirus suite is not behaving quite like it did before. Its little icon doesn't show up in the icon tray in the bottom right corner and it isn't auto-updating anymore. What's more, I can't see any process in the task manager that belongs to the AV suite. I wonder if it got disabled or even hijacked?

    I'm thinking about moving to AvG anyhow, so this may be a moot point. Other than my AV suite being inert, everything seems to be fine. Windows Defender and the phalanx of anti malware/spyware software I have installed are all functioning fine.
     
  7. 2010/04/22
    crunchie (Inactive)
    Yeah, you had the Vundo file-changing infection. It tends to have that effect. If you uninstall CA, I would suggest moving to Comodo or Avast rather than AVG.

    ====

    Let's get rid of Combofix now that we are finished with it.
    • Click START then RUN
    • Copy/paste the following bolded text into the Run box and click OK:

      ComboFix /Uninstall

    Note the space between the X and the /, it needs to be there.
     
  8. 2010/04/22
    MedicineMan (Inactive, Thread Starter)
    I think your instructions on how to remove ComboFix got truncated somehow, Crunchie.

    Thanks for the advice on Antivirus software. I'll look into the ones you suggest. I don't suppose you have a suggestion for some kind of software capable of analyzing my browser(s) and browser plug-ins for vulnerabilities? I think an old version of a java deployment kit plugged into Firefox may have been a factor in my computer getting overrun in the first place.
     
  9. 2010/04/22
    crunchie (Inactive)
    I am seeing the uninstall directions correctly.

    Go to the Start button, then in the Run command type in Combofix /Uninstall with the space, then hit OK.

    Nothing I know of can do what you want. You can install WOT though, which will let you know if the site you are going to is not up-to-par.
     
